Blockchain-based public ecosystem for auditing security of software applications

Abstract

Over the years, software applications have captured a large market ranging from smart devices (smartphones and smart wearable devices) to enterprise resource management, including Enterprise Resource Planning, office applications, and the entertainment industry (video games and graphics design applications). Protecting the copyright of software applications and protecting against malicious software (malware) have been topics of utmost interest for academia and industry for many years. The standard solutions use a software license key or rely on Operating System (OS) protection mechanisms, such as Google Play Protect. However, some end users have broken these protections to bypass payments for applications that are not free, either by downloading the software from an unauthorised website or by jailbreaking the OS protection mechanisms. As a result, they cannot determine whether the software they download is malicious or not. Further, if the software is uploaded to a third-party platform by malicious users, the software developer has no way of knowing about it. In such cases, the authenticity or integrity of the software cannot be guaranteed. There is also a problem of information transparency among software platforms. In this study, we propose an architecture based on blockchain technology for providing data transparency, release traceability, and auditability. Our goal is to provide an open framework that allows users, software vendors, and security practitioners to monitor misbehaviour and assess software vulnerabilities in order to prevent malicious software downloads. Specifically, the proposed solution makes it possible to identify software developers who have gone rogue and are potentially developing malicious software. Furthermore, we introduce an incentive policy for encouraging security engineers, victims, and software owners to participate in collaborative work.
The outcomes will ensure the wide adoption of a software auditing ecosystem in software markets, specifically for some mobile device manufacturers that have been banned from using open-source OSs such as Android. Consequently, there is a demand for them to verify application security without relying completely on OS-specific security mechanisms.


Acknowledgements

We thank the anonymous reviewers for their valuable comments, which helped us improve the content, organisation, and presentation of this work.

Corresponding author

Correspondence to Muhammad Rizwan Asghar.

Cite this article

Hu, Q., Asghar, M.R. & Zeadally, S. Blockchain-based public ecosystem for auditing security of software applications. Computing (2021). https://doi.org/10.1007/s00607-021-00954-6

Keywords

  • Blockchain
  • Software audit
  • Security evaluation
  • Software security

Mathematics Subject Classification

  • 68N01